On Wednesday, August 17, 2016, the Future of Privacy Forum (FPF) released a set of detailed guidelines for the collection and use of consumer-generated wellness data. The document, Best Practices for Consumer Wearables & Wellness Apps & Devices, was drafted by FPF with input from a wide range of stakeholders, including privacy advocates, companies, and regulators. The Best Practices guidelines set forth a Fair Information Practice Principles (FIPPs)-based trust framework that builds on existing legal expectations to provide a set of best practices designed to result in providing appropriate protections in light of the nature and sensitivity of the data.
On July 25, 2016, Hogan Lovells hosted a Silicon Valley dinner as part of its 2025 dinner series. The theme of the dinner was “I’m from Mars, You’re from Venus: The Tech Community and its Future Relationship with Government”. The discussion, moderated by Deirdre Mulligan of UC, Berkeley, focused on the tech community’s view of regulatory, law enforcement and national security issues, here in the U.S., as well as in Europe; and how the tech industry will be impacted by the upcoming U.S. elections as well as Brexit.
A new report from the Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) highlights data protection gaps in the U.S. for health data from wearable devices, social media, and emerging technologies. The report, “Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA,” identifies several areas in which privacy and security protections for health data have lagged behind technological developments that are expanding the collection of health data outside the traditional venues for health care. Continue Reading
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is taking an aggressive stand on HIPAA enforcement and targeting violations related to security risk assessments and business associate agreements. Three resolution agreements posted in the last month make clear that the agency expects entities subject to HIPAA to take appropriate steps to secure their data, regardless of the size or type of the entity.
In a case that could have far-reaching implications for how companies are held liable for data security lapses, the FTC issued an order and opinion unanimously overturning its Chief Administrative Law Judge’s (ALJ) November 2015 dismissal of charges that LabMD’s allegedly lax data security measures were unfair practices under Section 5 of the FTC Act (see our coverage of the ALJ’s decision here). The FTC found that the ALJ applied the incorrect legal standard for unfairness—that the question was not whether LabMD’s data security practices were “likely to cause” “substantial consumer injury”, but whether they presented a “significant risk” of injury. The FTC went on to issue its own legal and factual findings that LabMD’s data security practices were unreasonable and unfair.
The FTC’s decision marks another twist in a long-running dispute about whether allegedly lax security procedures can, on their own, result in liability when there has not been demonstrated harm to consumers, a line of reasoning that some worry will expose victimized companies to liability. For the time being the FTC’s decision provides grounds for counseling companies to take steps to ensure their data security programs are aligned with industry standards or best practices. The Commission’s decision reinforces its role as a key player in the field of data security, a role that received additional support in last year’s Wyndham decision in the Third Circuit (see our coverage of that decision here). Continue Reading
Thank you to everyone who participated in last week’s webinar “Privacy Shield: What You Need to Know.”
In this complimentary webinar, Julie Brill, Tim Tobin, and Bret Cohen of Hogan Lovells’ Washington office, and Eduardo Ustaran of our London office explored:
- What do companies need to do to sign up to the Privacy Shield?
- How do companies demonstrate compliance with the Privacy Shield principles?
- What will it take to move from Safe Harbor to Privacy Shield?
- What are the pros and cons of Privacy Shield as compared to other EU cross-border transfer mechanisms?
- What is the long-term viability of Privacy Shield?
To access the a copy of the slide deck, click here.
To access the recorded webinar, click here.
Stay tuned to the blog for future updates , including any interpretations or next-steps guidance from the European data protection authorities, the U.S. Department of Commerce, or the Federal Trade Commission.
The Department of Health and Human Services (HHS) released guidance on July 11, 2016, intended to help the healthcare industry prepare for and respond to ransomware attacks. Specifically, this guidance clarifies: (1) that a ransomware attack is considered a “security incident” under HIPAA, and (2) that a ransomware attack will typically be considered a “breach” by HHS unless entities are able to demonstrate that there is a “low probability of compromise.” The guidance also clarifies that covered entities must implement the same risk assessment processes as they would with other types of cyber threats, including malware. At a time when ransomware attacks are on the rise, this guidance heightens the potential regulatory enforcement consequences of these events. Continue Reading
In less than one week, on August 1, U.S. companies may begin to submit self-certifications to the EU-U.S. Privacy Shield framework at www.privacyshield.gov. Those companies that previously certified to the predecessor Safe Harbor framework are in a particularly good position to certify to the Privacy Shield, which built upon Safe Harbor’s core principles by adding meaningful substantive and procedural privacy protections for EU individuals.
The U.S. Department of Education and Department of Justice (“Departments”) recently weighed in on the obligations of school districts, colleges, and universities to provide civil rights protections for transgender students. On May 13, 2016, the Departments issued a Dear Colleague Letter (“DCL”) that summarizes the responsibilities of school districts, colleges, and universities that receive federal financial assistance under the Departments’ interpretation of federal law, including Title IX of the Education Amendments of 1972 (“Title IX”) and the Family Education Rights and Privacy Act (“FERPA”). Here, we focus on the DCL’s guidance pertinent to compliance with FERPA. Continue Reading
The much anticipated Privacy Shield framework for the transfer of data between the EU and U.S. received final approval from the European Commission on 12 July 2016. With this important data transfer mechanism available to companies at the beginning of August, the Hogan Lovells Privacy and Cybersecurity team will answer your questions in a webinar Wednesday, 27 July.
CLE credit will be available.